Legal Agreement

Data Processing Agreement (DPA)

Terms governing the processing of personal data by SetAIComply as a processor under GDPR Article 28.

Last updated: March 2026

1. Purpose and scope

This Data Processing Agreement (hereinafter the 'DPA') supplements the Terms of Service (hereinafter the 'ToS') and defines the conditions under which SetAIComply SAS (hereinafter the 'Processor') processes personal data on behalf of the User (hereinafter the 'Controller') in the context of providing the SetAIComply SaaS platform.

This DPA is concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the 'GDPR'). It applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the use of the platform.

In the event of a conflict between the provisions of this DPA and those of the ToS, the provisions of this DPA shall prevail with respect to the processing of personal data.

2. Definitions

The terms used in this DPA have the meaning attributed to them by the GDPR, in particular:

  • 'Personal data': any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR
  • 'Processing': any operation or set of operations performed on personal data, as defined in Article 4(2) of the GDPR
  • 'Controller': the User of the SetAIComply platform who determines the purposes and means of the processing of personal data
  • 'Processor': SetAIComply SAS, which processes personal data on behalf of the Controller
  • 'Sub-processor': any processor engaged by the Processor to carry out specific processing operations on behalf of the Controller
  • 'Data breach': a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data

3. Description of processing

3.1 Nature and purpose of processing

The Processor carries out the following processing on behalf of the Controller:

  • Hosting and storage of data entered by the Controller on the platform
  • Processing of data relating to AI systems for risk classification and compliance assessment
  • Generation of technical documentation using artificial intelligence services
  • Management of user accounts and authentication
  • Logging of actions for audit and traceability purposes
  • Data backup and restoration

3.2 Categories of data processed

  • User identification data: surname, first name, professional email address, job title
  • AI system data: technical descriptions, use cases, training data used, performance evaluations
  • Audit data: action logs, timestamps, user identifiers
  • Connection data: IP addresses, session logs

3.3 Categories of data subjects

  • Employees of the Controller using the platform
  • Where applicable, natural persons whose data is mentioned in the AI system descriptions entered by the Controller

3.4 Duration of processing

Processing is carried out for the entire duration of the Controller's subscription to the SetAIComply platform. Upon expiry or termination of the subscription, the provisions of Article 12 of this DPA shall apply.

4. Obligations of the Processor

The Processor undertakes to:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by law to which the Processor is subject
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR
  • Respect the conditions referred to in Article 28(2) and (4) of the GDPR for engaging another processor
  • Assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights
  • Assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (security, breach notification, impact assessment)
  • At the choice of the Controller, delete or return all personal data at the end of the provision of services and destroy existing copies, unless applicable law requires storage
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and to allow for and contribute to audits

5. Obligations of the Controller

The Controller undertakes to:

  • Provide the Processor with documented instructions regarding the processing of data
  • Ensure, prior to and throughout the duration of processing, compliance with the obligations laid down by the GDPR
  • Ensure the lawfulness of the processing of data entrusted to the Processor
  • Inform the Processor of any particular obligation relating to the processing of data
  • Supervise the processing carried out by the Processor, including by conducting audits and inspections

6. Security measures

The Processor implements the following technical and organisational measures to ensure the security of personal data:

6.1 Technical measures

  • Encryption of data in transit via TLS 1.3 and at rest via AES-256
  • Hosting on French sovereign infrastructure Scaleway (datacentres located in Paris, France, ISO 27001 and HDS certified)
  • Secure authentication with password hashing (bcrypt algorithm)
  • Role-based access control (RBAC) with the principle of least privilege
  • Web application firewall (WAF) and DDoS attack protection
  • Automated and encrypted backups with a disaster recovery plan
  • Continuous infrastructure monitoring and real-time alerts
  • Network segmentation and environment isolation

6.2 Organisational measures

  • Documented and regularly updated information security policy
  • Employee awareness and training on data protection and security
  • Security incident management procedures
  • Regular security reviews and penetration testing
  • Access rights management and periodic review of access rights
  • Confidentiality commitments signed by all employees

7. Sub-processors

7.1 General authorisation

The Controller generally authorises the Processor to engage other sub-processors for the processing of personal data under this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days before the change.

7.2 Right of objection

The Controller has a period of 15 days from the notification to raise reasoned objections concerning a new sub-processor. In the event of an objection, the parties undertake to discuss in good faith in order to find a mutually acceptable solution. Failing agreement, the Controller may terminate the contract in accordance with the ToS.

7.3 List of sub-processors

As of the date of this DPA, the authorised sub-processors are as follows:

Sub-processorPurposeLocationData concerned
Scaleway SASInfrastructure hosting, databases, backupsFrance (Paris)All platform data
Stripe, Inc.Payment processingEuropean UnionBilling data, bank details
Anthropic, PBCAI documentation generation (Claude API)United StatesDescriptive data of AI systems (no directly identifying data)

7.4 Obligations applicable to sub-processors

The Processor ensures that each sub-processor is bound by data protection obligations at least equivalent to those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the obligations of its sub-processors.

8. Data transfers outside the EU/EEA

The majority of personal data is hosted and processed exclusively in France, on sovereign Scaleway infrastructure.

The only data transfers outside the European Union concern descriptive data of AI systems transmitted to Anthropic, PBC (United States) for the purpose of AI documentation generation. These transfers are governed by:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (implementing decision 2021/914 of 4 June 2021)
  • Appropriate supplementary measures, including encryption of data in transit and minimisation of data transmitted
  • A specific data processing agreement with Anthropic, PBC, ensuring that data is not used for training AI models

No directly identifying data (surname, first name, email address) is transferred to Anthropic in the normal course of using the platform.

9. Rights of data subjects

The Processor assists the Controller in fulfilling its obligation to respond to requests for exercising the rights of data subjects (access, rectification, erasure, restriction, portability, objection).

When the Processor receives a request directly from a data subject, it shall inform the Controller without undue delay and shall not respond to the request without instructions from the Controller, unless required by law.

The Processor makes available to the Controller, via the platform, the technical tools necessary to facilitate the exercise of data subject rights, in particular data export and deletion.

10. Data breach notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. This notification shall include at a minimum:

  • The nature of the breach, including, where possible, the categories and approximate number of data subjects and data records concerned
  • The name and contact details of the point of contact from whom more information can be obtained
  • The likely consequences of the breach
  • The measures taken or proposed to remedy the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take all reasonable steps to assist the Controller in complying with its obligations to notify the supervisory authority (Article 33 of the GDPR) and data subjects (Article 34 of the GDPR).

11. Audits and inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and to allow for audits, including inspections, by the Controller or an auditor mandated by the Controller.

Audits are subject to the following conditions:

  • The Controller shall submit a written request at least 30 days before the planned date of the audit
  • The audit shall be carried out during normal business hours and shall not disproportionately disrupt the Processor's activities
  • The Controller shall bear the costs of the audit, unless the audit reveals a failure by the Processor to comply with its obligations
  • One audit per year is included under the contract. Any additional audit is subject to the Processor's prior agreement and shall be invoiced separately
  • The mandated auditor shall be subject to appropriate confidentiality obligations

The Processor may also provide existing audit reports or certifications (ISO 27001, SOC 2 reports) as a means of demonstrating compliance with its obligations.

12. Fate of data at end of contract

Upon expiry or termination of the subscription, the Controller has a period of 30 days to download all of its data via the platform's export features. Data is exportable in structured and commonly used formats (JSON, CSV).

At the end of this 30-day period, and unless otherwise instructed by the Controller, the Processor shall permanently delete all personal data processed on behalf of the Controller within an additional 60 days.

The Processor may retain data beyond these periods only where required by EU or French law (in particular billing data retained for 10 years in accordance with the Commercial Code and connection data retained for 12 months in accordance with Decree No. 2011-219). The Processor shall inform the Controller of any applicable legal retention obligation.

A deletion certificate shall be issued to the Controller upon request at the end of the deletion procedure.

13. Data protection impact assessment

Where the Controller is required to carry out a data protection impact assessment (DPIA) within the meaning of Article 35 of the GDPR, the Processor shall provide the Controller with the reasonable assistance necessary to carry out that assessment, taking into account the nature of the processing and the information available to the Processor.

14. Record of processing activities

In accordance with Article 30(2) of the GDPR, the Processor maintains a record of all categories of processing activities carried out on behalf of the Controller. This record is made available to the CNIL upon request.

15. Liability

Each party is liable for damages caused by processing that does not comply with the GDPR obligations incumbent upon it, in accordance with Articles 82 and 83 of the GDPR.

The Processor shall be liable for damages caused by processing only where it has not complied with the GDPR obligations specifically directed at processors or where it has acted outside of or contrary to the lawful instructions of the Controller.

16. Duration and termination

This DPA takes effect on the date of the Controller's registration on the platform and remains in force for as long as the Processor processes personal data on behalf of the Controller.

The obligations relating to confidentiality, security, and the fate of data at the end of the contract shall survive the termination of this DPA.

17. Applicable law and jurisdiction

This DPA is governed by French law. Any dispute relating to its interpretation, performance, or termination shall be submitted to the exclusive jurisdiction of the competent courts of Paris.

18. Contact

For any questions regarding this DPA or the processing of personal data, you may contact our Data Protection Officer:

  • Email: [email protected]
  • Address: SetAIComply SAS - Data Protection Officer - Paris, France